feat: only allow bundled preload scripts (#17308)

2019-03-28 11:38:51 +01:00 · 2019-03-28 11:38:51 +01:00 · 8cf15cc931
commit 8cf15cc931
parent 3d307e5610
11 changed files with 79 additions and 3 deletions
--- a/lib/browser/rpc-server.js
+++ b/lib/browser/rpc-server.js
@ -3,6 +3,7 @@
 const electron = require('electron')
 const { EventEmitter } = require('events')
 const fs = require('fs')
+const path = require('path')
 const util = require('util')

 const v8Util = process.electronBinding('v8_util')
@ -19,6 +20,7 @@ const guestViewManager = require('@electron/internal/browser/guest-view-manager'
 const bufferUtils = require('@electron/internal/common/buffer-utils')
 const errorUtils = require('@electron/internal/common/error-utils')
 const clipboardUtils = require('@electron/internal/common/clipboard-utils')
+const { isParentDir } = require('@electron/internal/common/path-utils')

 const hasProp = {}.hasOwnProperty

@ -498,12 +500,24 @@ ipcMainUtils.handle('ELECTRON_BROWSER_CLIPBOARD', function (event, method, ...ar
 })

 const readFile = util.promisify(fs.readFile)
+const realpath = util.promisify(fs.realpath)
+
+let absoluteAppPath
+const getAppPath = async function () {
+  if (absoluteAppPath === undefined) {
+    absoluteAppPath = await realpath(electron.app.getAppPath())
+  }
+  return absoluteAppPath
+}

 const getPreloadScript = async function (preloadPath) {
  let preloadSrc = null
  let preloadError = null
  if (preloadPath) {
    try {
+      if (!isParentDir(await getAppPath(), await realpath(preloadPath))) {
+        throw new Error('Preload scripts outside of app path are not allowed')
+      }
      preloadSrc = (await readFile(preloadPath)).toString()
    } catch (err) {
      preloadError = errorUtils.serialize(err)